
ssh_exchange_identification: RESOLVED



in traveling the course to solve a "can't connect adjacent
boxes without first jumping outside the local netgroup"
problem, i ran across a situation that seems to merit comment--

i've solved the original problem i had, which was that i
couldn't ssh from A to C (nor vice-versa) but i could ssh from
either A or C to an outside box B, and then back in to the
target computer (C or A).

	A 10.1.1.1    local LAN
	B 10.10.10.10 way the heck Out There
	C 10.1.1.5    local LAN

the error was:

	will@10.1.1.1$ ssh 10.1.1.5
	ssh_exchange_identification: Connection closed by remote host

vice-versa (from C to A):

	will@10.1.1.5$ ssh 10.1.1.1
	ssh_exchange_identification: Connection closed by remote host

A and C are on a subnet (29 bits as in 255.255.255.248) which B
is not a member of, if that's important. there's also a firewall
[clarkconnect.org] as one of the nodes on the subnet (but
neither A nor C are behind the firewall).

the obstruction was in fact /etc/hosts.deny and
/etc/hosts.allow, which contained basically just one line:

	ALL : PARANOID : deny

which makes any incoming connection whose reported hostname does
NOT jibe with the looked-up hostname die because of paranoiac
security restrictions.

since dns is overkill for such a small group, my connect
attempts showed up as "paranoid-style-reject" based on the
hosts.deny instruction. as it should have.

(once i found "ssh -v" my debug time shortened considerably!)

===

here's the snag:

i tried adding

	ALL : 10.1.1.1/29 : allow

and it didn't work, of course, because as the documentation
says, you use net.net.net.net/mask.mask.mask.mask not
net.net.net.net/bits as i'd hoped.

fine.

	ALL : 10.1.1.1/255.255.255.248 : allow

this STILL REJECTED ALL LEGIT ATTEMPTS! from 10.1.1.0 to
10.1.1.8, all connection attempts were denied! (both in practice
and as predicted via tcpdmatch.)

so i changed it to

	ALL : /etc/hosts.local.allow : allow

and added the IPs to /etc/hosts.local.allow such as

	10.1.1.1
	10.1.1.2
	10.1.1.3
	10.1.1.4
	10.1.1.5
	10.1.1.6
	10.1.1.7

and THAT worked.

unless i seriously misread the docs, tho, shouldn't
N.N.N.N/M.M.M.M work as above?

-- 
I use Debian/GNU Linux version 3.0-bunk-1;
Linux server 2.4.20-k6 #1 Mon Jan 13 23:49:14 EST 2003 i586 unknown
 
DEBIAN NEWBIE TIP #96 from Joost Kooij <joost@topaz.mdcc.cx>:
Did you know that you can SWITCH BETWEEN VIRTUAL CONSOLES using
leftalt+cursor{left,right}? To change from vc4 to vc5, press
alt-cursorright.  Going back to X from vc1 is as simple as
alt-cursorleft. (It doesn't work when you're already within
X11, though -- but control-alt-F1 does.)

Also see http://newbieDoc.sourceForge.net/ ...
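An added example, not part of the original post: a small Python model of the hosts_access(5) client patterns involved in the message (ALL, PARANOID, n.n.n.n/m.m.m.m, and a /path file list) and of the documented evaluation order (first match in hosts.allow grants, then first match in hosts.deny refuses, otherwise access is granted; an explicit "allow"/"deny" option overrides the file's verdict). The man page defines an "n.n.n.n/m.m.m.m" pattern as matching a client address when n.n.n.n equals the bitwise AND of the address and the mask, and that is the rule implemented here. The model is run over the hosts.allow variants from the message plus a fourth, assumed variant that writes the /29 with its network address 10.1.1.0, which goes beyond what the poster tried. DNS is not modelled: PARANOID is driven by a caller-supplied flag, and the hosts.local.allow contents and client addresses are constructed from the message.

```python
import ipaddress


def _ip(text):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def matches_netmask(pattern, client):
    """hosts_access(5) 'n.n.n.n/m.m.m.m' rule: match when net == (client AND mask)."""
    net, mask = pattern.split("/")
    return _ip(net) == (_ip(client) & _ip(mask))


def matches_client(pattern, client, name_mismatch=False, files=None):
    """Subset of hosts_access(5) client patterns.

    ALL            matches every client
    PARANOID       matches when the client's name does not match its address
                   (no DNS here: the caller passes name_mismatch instead)
    /path          matches when any token in that file matches (files is a
                   constructed dict standing in for the filesystem)
    n.n.n.n/m.m.m.m  net/mask pair, rule above
    a.b.c.d        exact client address
    """
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return name_mismatch
    if pattern.startswith("/"):
        body = (files or {}).get(pattern, "")
        return any(matches_client(tok, client, name_mismatch, files)
                   for tok in body.split())
    if "/" in pattern:
        return matches_netmask(pattern, client)
    return pattern == client


def parse_rules(text):
    """'daemon_list : client_list [: option]' lines -> (daemons, clients, option)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        option = fields[2] if len(fields) > 2 else None
        rules.append((fields[0].split(), fields[1].split(), option))
    return rules


def decide(hosts_allow, hosts_deny, daemon, client, name_mismatch=False, files=None):
    """hosts_access(5) order: hosts.allow grants on first match, then hosts.deny
    refuses on first match, else access is granted.  A trailing 'allow'/'deny'
    option (hosts_options(5)) overrides the verdict implied by the file."""
    for default, text in (("allow", hosts_allow), ("deny", hosts_deny)):
        for daemons, clients, option in parse_rules(text):
            if not any(d in ("ALL", daemon) for d in daemons):
                continue
            if any(matches_client(c, client, name_mismatch, files) for c in clients):
                return option if option in ("allow", "deny") else default
    return "allow"


# --- constructed inputs, taken from the message --------------------------------
HOSTS_DENY = "ALL : PARANOID : deny\n"
ALLOW_NETMASK_HOST = "ALL : 10.1.1.1/255.255.255.248 : allow\n"  # poster's second try
ALLOW_FILE = "ALL : /etc/hosts.local.allow : allow\n"            # the variant that worked
ALLOW_NETMASK_NET = "ALL : 10.1.1.0/255.255.255.248 : allow\n"   # assumed: net = addr AND mask
FILES = {"/etc/hosts.local.allow": "\n".join(f"10.1.1.{i}" for i in range(1, 8)) + "\n"}
LAN = [f"10.1.1.{i}" for i in range(0, 9)]   # 10.1.1.0 .. 10.1.1.8, the range the poster tested


def survey(hosts_allow):
    """Verdict for sshd from each LAN address, assuming no DNS so PARANOID fires."""
    return {c: decide(hosts_allow, HOSTS_DENY, "sshd", c, name_mismatch=True, files=FILES)
            for c in LAN}


if __name__ == "__main__":
    for label, text in (("host/mask", ALLOW_NETMASK_HOST),
                        ("file list", ALLOW_FILE),
                        ("net/mask", ALLOW_NETMASK_NET)):
        allowed = [c for c, v in survey(text).items() if v == "allow"]
        print(f"{label:9s} allows: {allowed or 'nothing'}")
```

Run stand-alone, the script shows the host/mask variant granting nothing (10.1.1.x AND 255.255.255.248 is 10.1.1.0, never 10.1.1.1), the file-list variant granting exactly the seven listed addresses, and the net/mask variant granting 10.1.1.0 through 10.1.1.7; tcpdmatch is the tool to confirm the same verdicts against a real hosts.allow/hosts.deny pair.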


